AUDIT OF NARA’S NETWORK INFRASTRUCTURE

OIG Report No. 10-07

April 28, 2010

OIG Audit Report No. 10-07

EXECUTIVE SUMMARY

Networks are collections of interconnected computer systems and devices allowing individuals to share resources, such as computer programs and information. Because sensitive programs and information are stored on or transmitted along networks, effectively securing networks is essential to protecting computing resources and data from unauthorized access, manipulation, and use. Organizations secure their networks, in part, by installing and configuring network devices that permit authorized network service requests, deny unauthorized requests, and limit the services available on the network. Organizations also secure their networks by ensuring appropriate physical and logical access controls are in place to restrict unauthorized access to these network devices.

We audited NARA’s network infrastructure to determine whether NARA had effectively implemented appropriate physical security and access controls to protect network resources. In addition, we reviewed whether network components provide adequate network security.

Our review revealed that appropriate physical security and access controls had not been implemented, which left network equipment vulnerable to potential compromise, theft, or damage. These weaknesses could jeopardize the availability of NARANet. We also identified several opportunities to improve security and operation of the network. Specifically:
• The Chief Information Officer and her staff were unable to effectively manage and assess the overall network security of NARA’s infrastructure because a complete and accurate network diagram was not maintained;
• Improper firewall management and configuration created vulnerabilities in the network and increased the amount of time it takes traffic to pass into the network;
• Firewall log files were not being reviewed to identify inappropriate activity or potential threats;
• Multiple weaknesses in logical access controls increased the risk of unauthorized access to network devices and servers; and
• Additional physical security and environmental controls are needed at NARA Regional Archives, Record Centers, and Presidential Libraries to restrict physical access to computer resources and protect them from intentional or unintentional loss or damage.

This report contains 18 recommendations which, upon implementation, will assist NARA in providing appropriate management and technical controls over the network. In response to a draft of this report, the Assistant Archivist for Information Services concurred with 17 of the 18 recommendations.

Page 1
National Archives and Records Administration

BACKGROUND

NARANet is NARA’s General Support System that processes, stores and communicates data between NARA employees, vendors, contractors and clients at various NARA locations. According to the current draft version of the System Security Plan for Network Infrastructure, the infrastructure includes but is not limited to firewalls, routers, switches, servers, computers and storage devices used by staff and contractors both internally and remotely. The primary function of NARANet is to facilitate the communication, storage, and processing of agency information for use internally and to provide a completed product and/or service to other Federal agencies and the general public.

NARA’s Wide Area Network (WAN) infrastructure connects all NARA Records Centers, Regional Archives, and Presidential Libraries via a Frame Relay Network. This infrastructure integrates and links all locations into one logical NARA Network by providing each site’s Local Area Network (LAN) with an integration point to access the WAN. NARA is in the process of replacing the current frame-relay network with a Multi-Protocol Label Switching network.

The Office of Information Services has responsibility for the operation of NARANet as the system owner and is also responsible for security implementation within the system. IT support services are provided by contract. NARA’s IT and Telecommunications Support Services (NITTSS) contractor manages and operates NARA’s network (NARANet). IT support for the Regional Records Services Facilities and Presidential Libraries is provided by Field Office Systems Administrators (FOSA), who are responsible for providing day-to-day operations and help desk support, systems administration, general maintenance and preventative maintenance support for all systems related to the NARANet environment.

PREVIOUS AUDIT REPORTS

The NARA OIG has issued three reports over the last five years identifying weaknesses related to the network infrastructure. These weaknesses included: a) lack of firewall policies and procedures and a lack of regular ongoing scanning and testing of NARANet (OIG Report 06-01); b) NARA’s controls over system administrator accounts were weak and needed immediate improvement (OIG Report 06-11); and c) unauthorized devices, such as hubs and multifunction copiers, were connected to NARANet without approval from the Office of Information Services (OIG Report 07-10).

OBJECTIVE, SCOPE, METHODOLOGY

The objective of our audit was to determine whether NARA had effectively implemented appropriate physical security and access controls to protect network resources. In addition, we were also to review whether network components provide adequate network security.

The audit was conducted at Archives II in College Park, Maryland and selected field offices. To accomplish the audit objectives we interviewed representatives of the Office of Information Services (NH) and IT Support contractors. We reviewed National Institute of Standards and Technology (NIST) Special Publications 800-53 “Recommended Security Controls for Federal Information Systems and Organizations,” Revision 3, August 2009; 800-41 “Guidelines on Firewalls and Firewall Policy,” Revision 1, September 2009; and 800-115 “Technical Guide to Information Security Testing and Assessment,” September 2008. We also reviewed NARA’s IT Security Requirements, version 5.5, May 29, 2009, and NARA IT Security Methodologies for “Access Control,” “Physical and Environmental Protection,” “System and Communication Protection,” and “Identification and Authentication.”

To observe physical security controls protecting network resources we visited five Presidential Libraries – Dwight Eisenhower, Lyndon Johnson, Jimmy Carter, Ronald Reagan, and George Bush; three Record Centers – Washington National Records Center (Suitland, MD), Southeast Region (Ellenwood, GA), and Pacific Region (Riverside, CA); and two Regional Archives facilities – Southeast (Morrow, GA) and Pacific (Laguna Niguel, CA). At each of these facilities we observed the location of network equipment and assessed whether the equipment was adequately protected from interruptions in computer services, physical damage, and theft. For those locations that had a wireless network, we reviewed the controls in place to secure the wireless network. We also visited the data center supporting the Electronic Records Archive (ERA) system located in Rocket Center, W.V. and reviewed physical security and environmental controls over the equipment.

To review access controls in place to protect network resources we reviewed whether system and network administrators were appropriately identified and authenticated. Specifically, we reviewed administrator accounts on the servers located at the field sites we visited. We also reviewed the mechanisms in place used to authenticate to the network routers, switches, and firewalls.

To review the security of network components we attempted to review the placement of routers and switches within the network. Our review in this area was limited by the lack of a complete network drawing. We also reviewed the configuration of the main NARA firewall and determined whether the rulesets were documented. We originally planned to perform vulnerability scans of the network; however, NH was unable to provide us with a current listing of IP addresses.

Our audit work was performed between June 2009 and February 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

FINDINGS AND RECOMMENDATIONS

Review of Network Devices

Inaccurate and Incomplete Network Diagram

The Chief Information Officer (CIO) and her staff were unable to effectively manage and assess the overall network security of NARA’s infrastructure. This occurred because a complete and accurate network diagram was not maintained. Specifically, NH officials did not have a process in place to update and maintain an accurate network diagram and believed it was the contractor’s responsibility to do so. NIST SP 800-53 requires NARA to maintain a current baseline configuration of NARANet which includes a network topology. By not having a complete network diagram, NH officials are not aware of potential security vulnerabilities that may exist in the network.

Network drawings are important because they show the overall layout of the network infrastructure and where devices are physically located. They also show the relationship and inter-connectivity between devices and where possible intrusive attacks could take place. Therefore, they assist in the management and auditing of the security of the network infrastructure. We requested a current official drawing of the NARANet infrastructure from the Chief Technology Officer (CTO). NH officials provided an “unofficial” topology drawing, stating that the topology was labeled as “unofficial” to distinguish it from nonexistent “official” drawings. In addition, we also obtained a copy of a network infrastructure drawing from the IT Services contractor which illustrated the physical connectivity of the network devices.

We found neither drawing was comprehensive, as not all subnets and network equipment were shown on the diagrams. For example, the connection to NARA’s Virtual Private Network (VPN)[1] was not shown on either drawing. The Chief Information Security Officer (CISO) and the CTO believed the VPN switch and gateway for the new remote access system were outside the firewall but could not verify if that was the case. According to NIST SP 800-41, placing the VPN behind the firewall would require VPN traffic to be passed through the firewall while encrypted, preventing the firewall from inspecting the traffic. Additional items not shown on the topology included:
• Connection to the Electronic Records Archive (ERA) system;
• Connection to the Public Access PCs available to researchers;
• Wireless network connections; and
• Location of other firewalls in the internal infrastructure.

[1] A Virtual Private Network provides secure network communications across untrusted networks by encrypting traffic.

We also found the information on the topology drawing was not accurate. For example, the topology identified the webmail and email servers as located inside the network. According to NIST SP 800-45, “Guidelines on Electronic Mail Security,” locating webmail and email servers inside the network is inadvisable because it exposes internal network components to additional risks. Mail servers are often targets of attackers, and once the internal mail server was compromised, the attacker would have access to the internal network. According to the CISO, the webmail server was not located in the internal network; however, the CISO added he would need to check with the IT Services Division (NHT) to make sure his statement was correct.

We identified several potential areas of concern on the network topology:
• NARA uses only one firewall between its internal private network and the outside public network. This solution does not provide redundancy for the network and could affect the availability of NARANet. More reliability could be achieved by implementing high-availability firewalls, which allow one firewall to take over for another if the first firewall fails or is taken offline for maintenance. These firewalls are deployed at the same spot in the network topology so that they both have the same external and internal connections.
• NARA allows direct access from another Government agency into the internal network. According to NH officials, the router configuration restricts traffic into the network; however, they had not reviewed the router configuration to ensure their assumptions were correct. According to NIST SP 800-41, organizations should use firewalls wherever their internal networks and systems interface with external networks and systems. Placing a firewall between NARA’s internal network and the outside agency could prevent unauthorized access to NARA systems and resources and would also log traffic going into and out of our network.
• NARA allows web servers in the Demilitarized Zone (DMZ)[2] to connect directly into the internal network. For example, traffic from the Internet goes into the firewall and is routed to these web servers. Traffic can pass between these web servers and NARA’s internal network without first going back through the firewall. According to NIST SP 800-41, all connections from the DMZ to the internal network should go through the firewall so that firewall policies are applied.

[2] The DMZ is a network segment inserted as a “neutral zone” between an organization’s private network and the Internet.

NH officials did not have a process in place to update and maintain an accurate network drawing. The network topology we reviewed was created by the previous contractor and has not been updated since the new contractors began managing the network in April 2009. The CISO stated that the network drawings were not updated as often as he would like because he would want the network drawings refreshed every time there was a change in the network, such as a new subnet or new device installed.

According to the CISO, the IT Services contractor was responsible for preparing network diagrams; however, in reviewing the contract, the CISO found that the contract does not have a schedule for delivering or updating network diagrams on a regular basis. Instead, the CISO stated he would be able to request diagrams and receive them on an ad-hoc basis. According to the CISO, this is acceptable because the cost of maintaining accurate and valid enterprise level diagrams on a continuous basis was not justified by any business need for that level of information. In addition, NH officials believed the high-level topology diagrams were “good enough” for initiating analytical work.

The IT Services contractor created a physical connectivity drawing by hand, logging onto individual devices and using the “show ip route” command. According to the contractor, his drawing was originally created for the network team’s use and not at the request of NH officials. The contractor was not aware of any automated tools at NARA that could be used to create a network diagram, even though the Enterprise Architecture lists two tools already in use by NH which could be used to create and maintain network diagrams. The use of automated tools could assist NH in updating and maintaining an accurate topology.

The CISO believed it was possible to maintain network security without accurate network diagrams. We question this assertion because without a current, detailed network topology the CISO lacks critical information necessary to assess the network environment and secure NARA’s IT Infrastructure from potential compromise.

Recommendations

1. The Assistant Archivist for Information Services/CIO should develop a comprehensive topology of the current network environment and maintain the drawing by updating it periodically (i.e., monthly or quarterly).

2. The Assistant Archivist for Information Services/CIO should develop network diagrams for each field office.

3. The Assistant Archivist for Information Services/CIO should assess and document the risks involved with: a) the use of one firewall; b) the direct connection by an external agency into NARA’s internal network; and c) traffic that can pass between a web server and the internal network without first going through the firewall.

Management Comments

The Assistant Archivist for Information Services concurred with the recommendations.

Boundary Protection: Firewall Rules and Policy Need Improvement

The NARA firewall configuration included numerous unnecessary rules along with two rules which allow all traffic to go through the firewall. This occurred because NH has not created a formal firewall policy to identify the network traffic that needs to pass into and out of NARA’s network and did not regularly review the firewall configuration. According to NIST SP 800-41, a firewall policy dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types based on the organization’s information security policies. It is important to periodically test to verify that firewall rules are functioning as expected. As a result, NARA’s firewall may not have the correct ruleset in place to prevent unauthorized access to its systems and resources. In addition, unnecessary firewall rules in the configuration create latency problems in the network.

Network traffic into and out of NARANet passes through the main NARA firewall. The firewall takes traffic that has not been checked, checks it against the firewall’s policy, and then acts accordingly by either passing the traffic along or blocking the traffic. According to NIST, firewalls should generally block all inbound and outbound traffic that has not been expressly permitted by the firewall policy in order to decrease the risk of an attack and to reduce the volume of traffic carried on the organization’s networks. NARA’s IT Security Methodology follows this best practice, stating NH shall deny network traffic by default and shall only allow network traffic by exception.

We reviewed the main firewall configuration, which defines the rule sets for network traffic, and found the “deny all, allow by exception” rule was not always followed. We also identified improvements needed in the configuration of the firewall. Specifically:

a) The main firewall configuration contained two “permit ip any any” rules on two access control lists, which allow all traffic without exception. These statements should not be included in the firewall configuration because they allow all traffic to go through the firewall and do not follow the NARA IT security policy of only permitting traffic by exception.

b) The configuration for the firewall was almost 50 pages long and contained many unnecessary rules along with text remarks that were not matched with the corresponding rules. According to the Cisco PIX Command Reference Guide, the access lists on the firewall have an implicit deny at the end of the list, so unless explicitly permitted, traffic cannot pass. Instead of relying on the implicit deny, the NARA firewall contained hundreds of rules to deny network traffic to specific IP addresses. Traffic from the outside then has to be checked against each one of these rules to determine if it is a match, increasing the amount of time it takes traffic to pass into the network (if allowed).

c) The St. Louis firewall configuration did not match the NARA main firewall configuration. As the NARANet failover connection, the St. Louis firewall should have a similar configuration to the NARA main firewall to ensure only permitted traffic is allowed into the network. If a properly configured firewall is not placed at this entry point into NARANet, malicious traffic normally blocked by the main NARA firewall would be able to enter the network. As changes are made to the main firewall configuration, the necessary changes should be replicated on the St. Louis firewall.

NH did not regularly review the firewall configuration to uncover rules that were no longer needed or new requirements that needed to be added to the firewall. An NHT official agreed their staff should be periodically reviewing the firewall configuration and stated that in the past it may have been done informally. In addition, NH has not conducted penetration testing to assess the overall security of their network environment. According to NIST, penetration testing can be used to verify a firewall ruleset is performing as intended. With the award of a new IT Support Services Contract, new network administrators began managing the network devices in April 2009. According to one network administrator, they identified several areas where vulnerabilities existed in the firewall configuration.
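The periodic configuration review described above can be partly automated. The following Python script is an added example, not code from the report, from NARA or from its contractor: it parses access-list entries written in Cisco PIX/ASA-style syntax and flags the three defects items a) and b) describe, namely “permit ip any any” entries (and every rule shadowed behind them), deny entries placed after an ACL’s last permit, which only restate the implicit deny at the cost of an extra comparison per packet, and remarks that are not followed by a rule. The configuration text is constructed for the example; the ACL names are assumptions and the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample configuration in Cisco PIX/ASA access-list syntax.
# It is NOT NARA's configuration; ACL names are assumed and the addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
access-list outside_in remark Allow web traffic to the DMZ web server
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in remark Orphaned remark: no rule follows it
access-list outside_in remark Block a host that abused the mail relay
access-list outside_in deny ip host 198.51.100.7 any
access-list outside_in permit tcp any host 192.0.2.11 eq smtp
access-list outside_in deny ip host 198.51.100.8 any
access-list outside_in deny ip host 198.51.100.9 any
access-list inside_out permit ip any any
access-list inside_out deny tcp any any eq telnet
"""

ACL_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:(?:extended|standard)\s+)?"
    r"(?P<kind>remark|permit|deny)\b\s*(?P<rest>.*)$"
)
PERMIT_ANY = re.compile(r"^ip\s+any\s+any$")


def parse_acls(config_text):
    """Group access-list entries by ACL name, keeping file order and line numbers."""
    acls = defaultdict(list)
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        m = ACL_LINE.match(raw.strip())
        if m:
            acls[m["name"]].append((lineno, m["kind"], m["rest"].strip()))
    return dict(acls)


def audit_acl(name, entries):
    """Return (acl, line, issue) tuples for one ACL's ordered entries."""
    findings = []
    # A remark should document the rule directly beneath it; a remark
    # followed by another remark, or by nothing at all, is orphaned.
    for i, (lineno, kind, _) in enumerate(entries):
        following = entries[i + 1][1] if i + 1 < len(entries) else None
        if kind == "remark" and following not in ("permit", "deny"):
            findings.append((name, lineno, "orphan-remark"))
    rules = [e for e in entries if e[1] != "remark"]
    permits = [i for i, e in enumerate(rules) if e[1] == "permit"]
    last_permit = permits[-1] if permits else -1
    shadowed_by = None
    for i, (lineno, kind, rest) in enumerate(rules):
        if shadowed_by is not None:
            # Nothing after a permit-any can ever be evaluated.
            findings.append((name, lineno, "shadowed"))
        elif kind == "permit" and PERMIT_ANY.match(rest):
            findings.append((name, lineno, "permit-any"))
            shadowed_by = lineno
        elif kind == "deny" and i > last_permit:
            # A deny with no later permit only restates the implicit deny
            # at the end of the list, at the cost of one more comparison
            # for every packet that reaches it.
            findings.append((name, lineno, "trailing-deny"))
    return findings


def audit_config(config_text):
    """Audit every ACL in the configuration; results are sorted by line number."""
    findings = []
    for name, entries in parse_acls(config_text).items():
        findings.extend(audit_acl(name, entries))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for acl, line, issue in audit_config(SAMPLE_CONFIG):
        print(f"line {line:>3}  {acl:<12} {issue}")
```

The deny on line 5 of the sample is deliberately left alone: it sits before a later permit and so carves a real exception out of that permit. Only denies with no permit after them are reported, because those are the ones the implicit deny already covers.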
NH had not, however, formally requested a firewall review, and the contractor had not submitted any recommendations to make changes to the firewall.

According to NIST SP 800-41, to improve the effectiveness and security of their firewalls, organizations should create rulesets that implement the organization’s firewall policy while supporting firewall performance. NARA does not have a formal policy regarding the firewall ruleset and has not documented a list of traffic which should be allowed to pass into and out of the network. We identified confusion between NH offices as to whose responsibility it was to create a firewall policy. Without a firewall policy, network administrators may be unaware of management’s expectations for how the firewall should function. To create a ruleset, NARA will need to determine what types of traffic are required, including protocols the firewall may need to use for management purposes.

Recommendations

4. The Assistant Archivist for Information Services/CIO should perform a risk analysis to develop a list of the types of traffic needed by the organization.

Management Comments

The Assistant Archivist for Information Services did not concur with the recommendation, stating they conduct risk assessments system-by-system in the C&A process and do not see a compelling business reason to change this strategy.

Audit Response

According to NIST SP 800-41, before a firewall policy is created, some form of risk analysis should be performed to develop a list of the types of traffic needed by the organization and categorize how they must be secured—including what types of traffic can traverse a firewall under what circumstances. This could be performed as part of the certification and accreditation of NARANet and documented in the system risk assessment. Therefore, the Assistant Archivist for Information Services should reconsider her position on this recommendation.

5. The Assistant Archivist for Information Services/CIO should create a firewall policy to establish rules for inbound and outbound traffic and how the firewall will be managed and updated.

6. The Assistant Archivist for Information Services/CIO should periodically review the firewall configuration and conduct penetration testing at least annually.

7. The Assistant Archivist for Information Services/CIO should review the St. Louis firewall configuration and ensure necessary firewall rules are included.

Management Comments

The Assistant Archivist for Information Services concurred with the recommendations.

Firewall Logs Not Reviewed and Assessed

Firewall log files were not being reviewed to identify potential threats. This occurred because the server on which the logs were recorded was removed in June 2009 to be replaced by a new product; however, the CIO has not assigned responsibility for reviewing the logs. According to NIST SP 800-41, firewall logs and alerts should be continuously monitored to identify threats. By not reviewing the firewall logs, NARA may not know if attacks or other inappropriate activity have occurred.

According to NIST SP 800-41, logging is a critical step in preventing and recovering from failures as well as ensuring proper security configurations are set on the firewall. Proper logging can also provide vital information for responding to security incidents. In addition, real-time alerts should be set up to notify administrators when important events, such as modifications or disabling of the firewall rules, occur on the firewall.
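The real-time alerting the paragraph calls for, as an added example that is not part of the report or of NARA’s tooling: a small Python monitor that reads a simplified, constructed firewall syslog format, raises a “rule-change” alert whenever an administrator command adds, removes or rebinds an access-list or access-group, and raises a “deny-burst” alert when one source address accumulates a run of denies inside a short window. The %FW-n-TAG message tags are invented for the example and are not real PIX/ASA message IDs; the log lines, hostnames, user names, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified firewall syslog lines.  The %FW-n-TAG message tags
# are invented for this example (not real PIX/ASA message IDs) and nothing
# here is NARA data; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 10 2009 08:01:02 fw1 %FW-4-DENY: tcp src 198.51.100.20/44012 dst 192.0.2.10/22 by acl outside_in
Jun 10 2009 08:01:03 fw1 %FW-4-DENY: tcp src 198.51.100.20/44013 dst 192.0.2.10/23 by acl outside_in
Jun 10 2009 08:01:04 fw1 %FW-4-DENY: tcp src 198.51.100.20/44014 dst 192.0.2.10/3389 by acl outside_in
Jun 10 2009 08:01:05 fw1 %FW-4-DENY: tcp src 198.51.100.20/44015 dst 192.0.2.10/445 by acl outside_in
Jun 10 2009 08:01:06 fw1 %FW-4-DENY: tcp src 198.51.100.20/44016 dst 192.0.2.10/1433 by acl outside_in
Jun 10 2009 08:05:00 fw1 %FW-4-DENY: udp src 203.0.113.9/5000 dst 192.0.2.11/161 by acl outside_in
Jun 10 2009 09:12:30 fw1 %FW-5-CONFIG: user 'admin2' executed 'no access-list outside_in deny ip host 198.51.100.7 any'
Jun 10 2009 09:12:41 fw1 %FW-5-CONFIG: user 'admin2' executed 'access-list outside_in permit ip any any'
Jun 10 2009 09:13:02 fw1 %FW-5-CONFIG: user 'admin2' executed 'show access-list'
Jun 10 2009 14:00:00 fw1 %FW-6-PERMIT: tcp src 203.0.113.5/51000 dst 192.0.2.10/80 by acl outside_in
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%FW-\d-(?P<kind>DENY|PERMIT|CONFIG): (?P<body>.*)$"
)
DENY_BODY = re.compile(
    r"^(?P<proto>\w+) src (?P<src>[\d.]+)/\d+ dst (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"by acl (?P<acl>\S+)$"
)
CONFIG_BODY = re.compile(r"^user '(?P<user>[^']+)' executed '(?P<cmd>[^']+)'$")
# Commands that add, remove or rebind filtering rules.  Read-only 'show'
# commands intentionally do not match.
RULE_CHANGE = re.compile(r"^(?:no\s+)?(?:access-list|access-group)\b")


def parse(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "host": m["host"], "kind": m["kind"], "body": m["body"]}


def review(log_text, burst_threshold=5, window=timedelta(minutes=1)):
    """Return (alerts, summary).

    alerts: (timestamp, alert_type, subject, detail) tuples in log order.
      rule-change : an administrator modified or removed a filtering rule
      deny-burst  : one source reached burst_threshold denies inside `window`
    summary: event counts by kind, plus lines that could not be parsed.
    """
    alerts = []
    summary = {"deny": 0, "permit": 0, "config": 0, "unparsed": 0}
    recent = defaultdict(deque)   # source address -> deny timestamps in window
    already_flagged = set()
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            summary["unparsed"] += 1
            continue
        summary[ev["kind"].lower()] += 1
        if ev["kind"] == "CONFIG":
            cm = CONFIG_BODY.match(ev["body"])
            if cm and RULE_CHANGE.match(cm["cmd"]):
                alerts.append((ev["ts"], "rule-change", cm["user"], cm["cmd"]))
        elif ev["kind"] == "DENY":
            dm = DENY_BODY.match(ev["body"])
            if dm is None:
                continue
            q = recent[dm["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()          # drop denies that fell out of the window
            if len(q) >= burst_threshold and dm["src"] not in already_flagged:
                already_flagged.add(dm["src"])
                alerts.append((ev["ts"], "deny-burst", dm["src"],
                               f"{len(q)} denies within {window}"))
    return alerts, summary


if __name__ == "__main__":
    found, counts = review(SAMPLE_LOG)
    print(counts)
    for ts, kind, subject, detail in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<12} {subject:<16} {detail}")
```

Unparsed lines are counted rather than silently dropped, so a change in the firewall’s log format shows up in the summary instead of quietly blinding the monitor; the same consideration applies to whatever feed ends up in the SIM tool discussed below.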
Part of\nmanaging the firewall involves continuously monitoring the logs and alerts to identify\nthreats.\n\nPreviously, NH used a server to store the firewall logs. However, the server was\nremoved from operation in June 2009 and has not been replaced. According to an NHT\nofficial, the server was removed due to security vulnerabilities and concerns. Instead of\nreplacing the server, NH officials are in the process of implementing a Security\nInformation Management (SIM) 3 tool which will collate information from multiple\nnetwork services such as firewalls, network and host based intrusion detection services,\nweb servers, and routers. NH has been in the process of installing the SIM tool for over\nthree years now. While the SIM can accept and store logs, it has not been populated with\nrules to analyze the data.\n\nWe found that while firewall logs are currently being sent to the SIM, responsibility for\nreviewing these logs and acting on the information has not been assigned. Network\nadministrators stated that they do not have access to the tool and that contractually their\nresponsibility was only to send logs to the server. An NHI official stated that the security\nsupport contractor was using the SIM however, the support contractor stated that\nresponsibility for monitoring and reporting information in the SIM has yet to be\ndetermined. According to the CISO, firewall logs are currently reviewed on an ad-hoc\n\n\n3\n The SIM tool accepts alert data from devices throughout the network, correlates the data, and can then\ndetermine whether several indicators are related. By correlating the data such as system events, anti-virus\nevents, and vulnerability data, the SIM can determine if an attacked system was vulnerable to the attack\nseen and determine whether the attack succeeded. 
However, NARA must first develop and implement\nrules that tell the SIM what to correlate.\n\n                                               Page 9\n                            National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 10-07\n\n\nbasis while the concept of operations outlining roles and responsibilities for the new tool\nare being developed.\n\nRecommendations\n8. The Assistant Archivist for Information Services/CIO should assign responsibility to\nthe appropriate individuals to monitor the firewall log alerts to determine if attacks or\ninappropriate activity has occurred.\n9. The Assistant Archivist for Information Services/CIO should expedite implementation\nof the SIM tool.\nManagement Comments\nThe Assistant Archivist for Information Services concurred with the recommendations.\n\nAccess Controls\n\nAccess controls provide reasonable assurance that access to computer resources (data,\nequipment, and facilities) is reasonable and restricted to authorized individuals. The\nGovernment Accountability Office (GAO) defines access controls as including both\nlogical and physical controls. Logical access controls require users to authenticate\nthemselves through the use of passwords or other identifiers and limit the files and other\nresources that authenticated users can access and the actions they can execute. Physical\naccess controls involve restricting physical access to computer resources and protecting\nthem from intentional or unintentional loss or impairment.\n\nLogical Access Controls Need to be Strengthened\n\nWe identified several weaknesses in the logical access controls for network infrastructure\nequipment and selected servers we reviewed. This occurred because adequate controls\nwere not in place and additional oversight over contractor actions was needed. 
NIST SP\n800-53 and NARA\xe2\x80\x99s IT Security Methodology require unique identification and\nauthentication when accessing an IT system. Without appropriate controls in place, there\nis an increased risk of unauthorized access to network devices and servers.\n\nOur review identified the following weaknesses:\n   \xe2\x80\xa2\t Multifactor authentication was not used for network access to administrator\n      accounts;\n   \xe2\x80\xa2\t An administrator account belonging to a former contractor was shared by the new\n      network administrators;\n   \xe2\x80\xa2\t Network device passwords were not changed immediately after a network \n\n      administrator left; and\n\n   \xe2\x80\xa2\t Servers contained anonymous administrator accounts that may be unnecessary.\nNIST SP 800-53 requires each individual to be uniquely identified and authenticated\nwhen accessing an information system. According to GAO, this occurs through the\n\n\n                                          Page 10\n                        National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 10-07\n\n\nimplementation of adequate logical access controls. User authentication establishes the\nvalidity of a user\xe2\x80\x99s claimed identity using mechanisms such as requiring them to provide\nsomething they have (such as a smart card); something they alone know (such as a\npassword or personal identification number); or something that physically identifies them\nuniquely (such as a biometric fingerprint or retina scan). Multifactor authentication is\naccomplished by using a combination of these mechanisms.\n\na.) We found that access to infrastructure devices by network administrators did not meet\nrequirements established by NIST. Specifically, NIST SP 800-53, control IA-2 requires\nthe use of multifactor authentication for network access to privileged accounts. 
NARA's network administrators used the network to manage the routers, switches, and firewalls from the computers at their desks instead of having to physically connect to each device. According to GAO, network access to devices can significantly increase the risk of unauthorized access. Therefore, to increase security, identification and authentication should be accomplished using multifactor authentication such as a smart card in conjunction with a password. NARA's network administrators were authenticated using only passwords, which does not meet the multifactor authentication requirement. In addition, network administrators had the ability to manage the network devices remotely using the Nortel VPN, which does not use multifactor authentication.

b.) We reviewed the TACACS server log for passed authentications and found a userID belonging to a former network administrator had been used to successfully log into NARA devices multiple times over a three-month period. Terminated employees who continue to have access to critical or sensitive resources such as firewalls, routers, and switches pose a major threat to the network. We referred this to OIG Investigations as a potential violation of 18 U.S.C. 1030 "Unauthorized Access to Government Computer System." In a meeting with the CISO, the Lead Network Engineer explained that his network team had used this account on several occasions at the start of the new IT Services and Support contract in April 2009. According to the Lead Network Engineer, the previous contractor gave the new contractors the password to his account and the account was only enabled when needed. There were at least four individuals who knew the password to this account.

The use of this account by multiple network administrators was in violation of NARA's IT Security Requirements, which do not allow accounts to be used by more than one user.
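The review described in finding b) and later prescribed in recommendation 11, written up as an added example rather than NARA's or the contractor's tooling: the central access-control (TACACS) server's access list is compared against the staff roster, and its successful authentications are checked against current employees and contractors. The log format, userIDs, roster entries and dates are all constructed.

```python
# Added example (not NARA's tooling): the periodic TACACS review from
# recommendation 11, run over a constructed access list, staff roster and
# authentication log. Log format, userIDs and dates are all made up.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    """One entry from the (constructed) roster of current and former staff."""
    user_id: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # last authorized day, if terminated


@dataclass(frozen=True)
class LoginRecord:
    """One authentication attempt recorded by the TACACS server."""
    when: datetime
    device: str
    user_id: str
    passed: bool


# Constructed roster, keyed by TACACS userID (hypothetical names).
ROSTER: Dict[str, Person] = {
    "netadm1": Person("netadm1", "active"),
    "netadm2": Person("netadm2", "active"),
    "oldadm": Person("oldadm", "terminated", date(2009, 4, 1)),
}

# Constructed TACACS access list: every userID the server will authenticate.
ACCESS_LIST = ["netadm1", "netadm2", "oldadm", "svc-backup"]

# Constructed authentication log, one attempt per line:
#   <ISO timestamp>\t<device address>\t<userID>\t<pass|fail>
AUTH_LOG = """\
2009-04-02T09:15:00\t10.10.1.1\tnetadm1\tpass
2009-04-03T11:02:10\t10.10.1.1\toldadm\tpass
2009-04-20T08:45:31\t10.10.1.2\toldadm\tfail
2009-05-11T14:20:05\t10.10.1.3\toldadm\tpass
2009-06-08T16:01:44\t10.10.1.2\tsvc-backup\tpass
2009-06-09T10:12:31\t10.10.1.1\tnetadm2\tpass
"""


def parse_auth_log(text: str) -> List[LoginRecord]:
    """Parse the constructed tab-separated log into LoginRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, device, user_id, result = line.split("\t")
        records.append(LoginRecord(datetime.fromisoformat(stamp), device,
                                   user_id, result == "pass"))
    return records


def stale_accounts(access_list: List[str],
                   roster: Dict[str, Person]) -> List[str]:
    """Recommendation 11 a): userIDs still enabled on the server that belong
    to terminated staff or to nobody on the current roster."""
    return sorted(u for u in access_list
                  if u not in roster or roster[u].status == "terminated")


def unauthorized_logins(records: List[LoginRecord],
                        roster: Dict[str, Person]) -> List[LoginRecord]:
    """Recommendation 11 b): successful authentications that cannot be
    attributed to a current employee or contractor."""
    findings = []
    for rec in records:
        if not rec.passed:
            continue  # only successes prove that access was obtained
        person = roster.get(rec.user_id)
        if person is None:
            findings.append(rec)  # unknown userID: nobody is accountable
        elif person.status == "terminated" and (
                person.end_date is None or rec.when.date() > person.end_date):
            findings.append(rec)  # login after the person's last authorized day
    return findings


def review(log_text: str = AUTH_LOG, access_list: List[str] = ACCESS_LIST,
           roster: Dict[str, Person] = ROSTER) -> dict:
    """Run both checks and return the findings for the reviewer."""
    records = parse_auth_log(log_text)
    return {
        "stale_accounts": stale_accounts(access_list, roster),
        "unauthorized_logins": unauthorized_logins(records, roster),
    }


if __name__ == "__main__":
    result = review()
    print("accounts to disable:", result["stale_accounts"])
    for rec in result["unauthorized_logins"]:
        print(f"{rec.when.isoformat()} {rec.user_id} logged into {rec.device}")
```

Failed attempts are deliberately left out of the second check; they belong to a separate brute-force review, while a single success is already a finding.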
The use of a shared account resulted in a lack of user accountability over the actions performed by the network administrators using this account, because it would be impossible to determine the specific individual who performed the actions. The IT Operations Chief stated the account was only used the first week in April; however, we identified several logins that occurred after that time period, including two successful logins in May and two in June. The Lead Network Engineer stated the administrator account has now been deleted.

c.) Network device passwords were not changed immediately after a network administrator left. According to the Lead Network Engineer, he was not directed to change the passwords until the week after the previous network administrator's departure, and it took several days to change the passwords on all devices. According to the Standard Operating Procedure, the passwords for system administrators must be changed when a systems administrator leaves the program. However, the procedure states NARA is responsible for submitting a request for administrator passwords to be changed. The IT Operations Chief was not aware of the previous network administrator's exact departure date. As a result, there was an increased risk of unauthorized access during that time period.

d.) We reviewed the administrator accounts on selected servers at NARA field sites and found several servers had excessive administrator accounts. For example, a server supporting the VISTA system at a Presidential Library had 12 users in the "Administrators" group on the server. Of the 12 accounts, only three were assigned to specific individuals.
Other accounts included a Novell backup account even though this was not a Novell server; two anonymous accounts, for which no documentation of their purpose was available; and an anonymous account for the St. Louis Engineers.

The IT Security Methodology for Access Control requires that NARA specifically authorize and monitor the use of anonymous accounts and remove, disable, or otherwise secure unnecessary accounts. All of the Windows servers we reviewed, except for one, had an anonymous administrator account named [name illegible]. According to the NHT Operations Chief, this account was the built-in administrator account that was renamed for security reasons. While this was true for some of the servers we reviewed, we found that the servers for the VISTA system had both the built-in administrator account and the [name illegible] account. No documentation was available regarding the creation and use of this account. Additional anonymous administrator accounts, which may be unnecessary, were found on the Windows servers.
NARA did not have adequate controls in place to prevent these weaknesses in logical access controls. NARA's IT Security Methodology for Identification and Authentication has not been updated to reflect the new controls for identification and authentication required by the latest revision to NIST SP 800-53. In addition, NARA's IT Operations staff needs to take a more proactive approach in monitoring actions by the contractor to ensure NARA access control policy is followed.

Recommendations

10. The Assistant Archivist for Information Services/CIO should implement multifactor authentication for network access to infrastructure devices and update the IT Security Methodology for Identification and Authentication to reflect new requirements in NIST SP 800-53, Revision 3.

11.
The Assistant Archivist for Information Services/CIO should periodically review a) the access list for the central access control (TACACS) server to ensure accounts belonging to terminated staff are secured and b) logs for the central access control server to ensure successful logins belong to current employees or contractors.

12. The Assistant Archivist for Information Services/CIO should develop a process to ensure NHT is alerted to changes in IT contractor staff so that passwords can be changed.

13. The Assistant Archivist for Information Services/CIO should review the administrator accounts on field office servers and delete any unnecessary accounts.

Management Comments
The Assistant Archivist for Information Services concurred with the recommendations.

Physical and Environmental Protections at Field Sites Need Improvement

We visited 10 field sites and the ERA data center to observe the controls in place outside the main NARA data center at AII and found that additional physical security and environmental controls are needed to restrict physical access to computer resources and protect them from intentional or unintentional loss or impairment. According to NARA's IT Security Requirements, NARA must limit physical access to information systems and equipment and protect systems against environmental hazards.

Physical security controls restrict physical access or harm to computer resources and protect these resources from intentional or unintentional loss or impairment.
These controls restrict physical access to computer resources, usually by limiting access to the buildings and rooms in which the resources are housed and by periodically reviewing the access granted, in order to ensure that access continues to be appropriate. Physical controls also include environmental controls, which prevent or mitigate potential damage to facilities and interruptions in service. Examples of environmental controls include smoke and water detectors, fire alarms and extinguishers, and uninterruptible power supplies.

Physical Access Controls to Computer Rooms and Closets

Access to the areas where network equipment was located was not always limited to personnel responsible for equipment administration and maintenance. This occurred because key inventories and reviews of badge reader access had not been conducted annually, as required by the NARA IT Security Methodology for Physical and Environmental Protection. By not limiting access to areas where network equipment is stored, there is an increased risk of theft of network equipment or loss of network availability.

Badge readers were used at four of the facilities we visited to restrict entry of personnel to the computer rooms and closets. However, we identified several instances where access was not limited to those personnel responsible for equipment administration and maintenance. For example, at one Presidential Library, over 124 NARA and Library Foundation employees had access to a closet where IT equipment was stored. As a result of our review, the facility manager at that location took immediate action to reduce the number of staff with access to the room.
In another example, we reviewed the 273 badges issued at one of NARA's record centers and found the badge belonging to the former security manager still had access to the server room. In addition, there were four badges not assigned to a specific individual that had access to the server room. As a result of our review, the facility manager took immediate action and deleted access for these five badges.

At six locations visited, key locks were used to restrict access to the computer room. Keys were generally given to the Field Office System Administrator, the facility manager, and top management. However, at one Presidential Library we identified that six copies of the master key were unaccounted for. These master keys could be used to open exterior doors as well as the door to the computer room. At another location, one of the three keys to the computer room was unaccounted for.

According to NARA's IT Security Methodology for Physical and Environmental Protection, keys and other access devices controlling entry to facilities containing information systems must be inventoried annually. We found key inventories and reviews of badge reader access were not conducted annually as required. For example, at one site with badge reader access, the facility manager had not considered access to the computer room and closets as part of their review. The facility manager at one location could not provide any evidence that a key inventory had ever been completed. At a third location, the last evidence of a key inventory was from 1994.

Recommendation

14.
The Archivist should direct the Assistant Archivist for Information Services/CIO, the Assistant Archivist for Regional Record Services, and the Assistant Archivist for Presidential Libraries to coordinate with the Assistant Archivist for Administration to develop a mechanism to track access reviews and key inventories for computer rooms and other locations where IT network infrastructure equipment is stored at the field sites.

Management Comments
The Assistant Archivist for Information Services concurred with the recommendation.

Physical Access to Network Equipment and Cables outside the Computer Room

Network equipment and cabling stored outside the computer room was not always protected at the same level as equipment inside the computer room. This occurred because NH did not have the proper controls in place to restrict access to network equipment. NIST SP 800-53 controls require the organization to protect network equipment and cabling within the facility to minimize potential damage and to minimize the opportunity for unauthorized access. Without adequate protection there is a risk that network equipment could be stolen or network cables could be tampered with, resulting in a loss of network availability.

As part of the audit we reviewed the controls in place to protect network equipment located outside the computer room. We observed that equipment was not always secured to minimize the potential for theft, damage, or unauthorized access. For example, we observed network equipment stored in a janitorial closet (Figure 1). The rack holding the equipment was not locked; therefore anyone with access to the closet had access to the network equipment.

Figure 1.
Network equipment stored in Janitorial Closet

At another location we observed a network switch stored in a lockable rack with the fiber cable and power cord protected by conduit (Figure 2). However, when we first observed the rack, it was unlocked and the door was left open, exposing the network equipment to theft, damage, or tampering. Another switch in the same facility was also stored in an unlocked rack (Figure 3). The key to this rack was initially located on top of the rack, and during the site visit the facility manager locked the rack and placed the key on his key ring. In addition to the rack being unlocked, the fiber cable and power cord were not protected and were vulnerable to damage or tampering. Both of these examples occurred on a floor accessible to the public. Doors separating the public museum from the employee side where the equipment was located were closed but not locked.

Figure 2. Rack was unlocked
Figure 3. Rack was unlocked and key was located on top of the rack

According to NIST SP 800-53 control PE-4, physical protections applied to information system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering. Physical protections are necessary to help prevent eavesdropping or in-transit modification of unencrypted transmissions. In addition, control PE-18 requires organizations to position information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. Without proper controls in place the confidentiality and availability of NARANet could be impacted.

Recommendation

15.
The Assistant Archivist for Information Services/CIO, in conjunction with the Assistant Archivist for Regional Record Services and the Assistant Archivist for Presidential Libraries, should periodically monitor the network environments at the field sites to ensure network equipment and cables stored outside the computer rooms are protected.

Management Comments
The Assistant Archivist for Information Services concurred with the recommendation.

Physical and Environmental Hazards to Network Equipment

Network equipment was not always protected from physical and environmental hazards. This occurred because racks were not provided to store the equipment properly. In addition, facilities owned by other Federal agencies required approval before changes could be made. As a result, network equipment could be inadvertently or deliberately misused, damaged, or destroyed.

According to NARA's Physical and Environmental Protection Methodology control PE-18, "Location of Information System Components," NARA positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

In one example, the wall mounting for a rack holding network equipment was not strong enough to hold the rack, and a jack stand was needed to support the weight of the cabinet (Figure 4). If the rack were to fall, the network equipment could be damaged or destroyed. In another example, we found some NARA facilities were lacking the proper racks to store the IT equipment. Specifically, we observed a NARANet switch which was placed on a temporary rack until the proper rack could be provided by NH (Figure 5).
This places the equipment at an increased risk of damage because the equipment could be inadvertently knocked over.

Figure 4. Jack needed to hold rack in place
Figure 5. Switch on temporary rack

At two facilities a rack was not available to store the PBX telephone equipment (Figures 6 and 7). Without racks to secure the equipment in place there is an increased risk that the equipment could be damaged, resulting in a loss of telephone service.

Figure 6. PBX balanced on top of UPS
Figure 7. PBX not in a rack

We also observed that additional environmental controls were not usually implemented to mitigate the effects of fire, heat, or other natural disasters. None of the facilities we visited had heat or water alarms. For example, at one facility environmental controls had not been implemented to mitigate the effect of a flood even though the facility is located in an area subject to flash flooding. Specifically, network equipment was stored in a room in the basement which did not have a raised floor, and water alarms were not used to alert officials to flooding in the room.

We observed at least two NARA facilities had water sprinkler systems in the computer rooms which could cause damage to the equipment if triggered. For example, a data center housing a critical NARA system had a wet pipe sprinkler system.
According to NH officials, because the building is owned by another agency, they had to submit a request to replace the wet pipe sprinkler system with a gas system.

Additional environmental hazards we observed included:
   • One computer room had exterior windows and was located on the first floor;
   • Only two facilities had raised floors in the computer room; and
   • Not all facilities had the capability to shut off power to equipment in the computer room during emergency situations.
Without proper environmental controls in place, network equipment could be inadvertently damaged or destroyed.

Recommendations
16. The Assistant Archivist for Information Services/CIO, in conjunction with the Assistant Archivist for Regional Record Services and the Assistant Archivist for Presidential Libraries, should conduct a review to determine which facilities require racks and provide the necessary racks.
17. The Assistant Archivist for Information Services/CIO, in conjunction with the Assistant Archivist for Regional Record Services and the Assistant Archivist for Presidential Libraries, should perform a risk assessment for each of the field offices to determine whether changes to the buildings are needed in order to properly protect network equipment.
Management Comments
The Assistant Archivist for Information Services concurred with the recommendations.


Wireless Networks

Three of the sites we visited had a wireless network as part of the local area network; however, NARA officials were not monitoring for unauthorized access to the network. This occurred because NARA had bought the hardware needed for a monitoring tool but had not yet implemented the tool.
According to NIST SP 800-53 Control AC-18, the organization is to monitor for unauthorized wireless access. As a result, NARA does not know whether unauthorized users or devices were attempting to access, or had already accessed, the wireless network.

NARA is in the process of deploying wireless networks throughout the regions, including the Presidential Libraries. Three sites we visited had already deployed wireless networks. We found none of the three sites were using AirDefense. For example, at the Bush Library, the FOSA stated that the hardware for AirDefense had been purchased but it had not been installed.

According to NARA's Operations Architecture, AirDefense is a wireless network intrusion detection system that monitors wireless sensors for intrusion attempts coming in from wireless sources. NARA planned to start deploying sensors for the system in 2009; however, according to the CISO, the project team that was responsible for the wireless build-outs did not have the money to include sensor installation in FY 2009. The CISO stated that a follow-on contract will be needed to install sensors at the existing sites in early FY 2010.

Recommendations

18.
The Assistant Archivist for Information Services/CIO should monitor for unauthorized wireless access to NARANet.

Management Comments
The Assistant Archivist for Information Services concurred with the recommendations.

Appendix A: Site Visit Results

Columns are the 11 sites visited, grouped as Record Centers, Regional Archives, and Presidential Libraries; the individual site names did not survive extraction. NR = Not Reviewed.

                                          Record Centers       Regional Archives    Presidential Libraries
Physical and Environmental Controls Tested
Is there a separate computer room at      Y      Y      Y      Y      N      Y      Y      Y      Y      Y      Y
the facility?
Is a key or access badge needed for       Badge  Key    Key    Key    N/A    Badge  Badge  Key    Key    Key    Badge
entry?
Is the room unmarked? (i.e.
there should be no visible signs to       Y      N      N      N      Y      Y      N      Y      Y      N      NR
indicate there is computer equipment
in the room)
Is computer equipment stored outside      N      Y      Y      Y      N/A    Y      Y      N      N      N      NR
the main computer facility secured
(i.e. stored in a locked rack)?
Are visitors signed in and escorted?      N      N      N      N      N      N      N      N      N      N      Y
Are physical access logs maintained?      N      N      N      N      N      N      N      N      N      N      N
Does the room contain air conditioning?   Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
Is the room a reasonable temperature?     Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
(i.e. the room does not seem overly hot
or cold, fans are not needed to cool
the room)
Does the room contain smoke, heat, and    N      N      N      N      N      N      N      N      N      N      N
water alarms?
Are fire extinguishers kept near the      Y      Y      Y      Y      Y      N      Y      Y      Y      N      NR
equipment?
Is the equipment free from dust? (i.e.    Y      Y      Y      Y      Y      Y      Y      Y      Y      NR     Y
there is no visible dust on the
equipment)
Does the facility have an                 Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
uninterruptible power supply or backup
generator installed for the computer
equipment?
Are surge protectors used?
                                          Y      Y      N      Y      Y      Y      Y      Y      Y      Y      NR
Does each piece of equipment contain a    Y      N      N      N      N      N      N      Y      N      N      Y
Blue NARA barcode and/or a Red NARA IT
Hardware barcode?
Is the room housing the PBX equipment     Y      Y      Y      Y      N/A    Y      Y      Y      Y      N      Y
locked?

Attachment 1. Management Comments on the Draft Report

National Archives and Records Administration
8601 Adelphi Road
College Park, Maryland 20740-6001

Date: APR 21 2010
Reply to Attn of: Office of Information Services (NH)
Subject: Comments on Draft OIG Audit Report 10-07, Audit of NARA's Network Infrastructure
To: Office of Inspector General (OIG)

We offer the following comments on the subject draft report of our agency's infrastructure. It is clear from the draft that the auditor spent considerable time developing the findings and recommendations and we commend the draft's coherence, organization, and opportunities for improving our network infrastructure when we implement the recommendations.

EXECUTIVE SUMMARY

In the middle of the first page, the statement is made that the weaknesses found in this audit "could jeopardize the availability of NARANet." Further, the first bulleted statement on the page states: "The Chief Information Officer and her staff were unable to effectively manage and assess the overall network security of NARA's infrastructure because a complete and accurate network diagram was not maintained."

We disagree with both statements.
On the diagram issue, there is simply no "one" singular diagram or topology that represents a complete, contemporaneous, and accurate depiction of the entire network. Multiple documents that NH maintains serve this purpose. NH currently maintains, among others, a broad set of network diagrams, including: NARA Network Logical Design, Typical Wireless Pilot Logical Network A, Typical Wireless Pilot Physical Network A, NARA WAN Frame Relay, Novell Groupwise Fully Meshed Network, COOP Disaster Recovery Component Location, St. Louis COOP DR Network Infrastructure, Rocket Center COOP Network Logical Design, NARA Ethernet Tap Deployment, Austin Automation Center v5.5, ERA WAN Network Topology, DREN Connection at A-II, NARA Access to ERA, and ERA WAN RC Physical. Most of these engineering drawings are captured in NARA's Enterprise Architecture Operations Engineering Baseline document, which we are in the process of updating to reflect recent changes such as the recent MPLS network upgrade.

On the CIO managing the overall network security, this assessment is primarily done using monitoring tools that provide real-time and near-real-time reporting on threats and vulnerabilities, not diagrams. Those tools are in place, as is a POA&M process that provides strong management controls when weaknesses are found in the course of network operations. We assert that diagrams assist planning and change management processes, not day-to-day network security operations.

OBJECTIVE, SCOPE, METHODOLOGY

We disagree with the statement near the end of page three that states "We originally planned to perform vulnerability scans of the network, however; NH was unable to provide us with a current listing of IP addresses."
Vulnerability scans do not rely on having IP addresses. NARA has a published range of IP addresses and the auditor could have effectively performed a scan of this range and made an effective evaluation on the security status of NARA based on the scan. The issue of effectively working with our NH-appointed point of contact for audits applies here; if there was any question of what IP address set the auditor was provided, the NH point of contact could have been contacted to rectify this situation.

FINDINGS AND RECOMMENDATIONS

Review of Network Devices

Inaccurate and Incomplete Network Diagram

We disagree with several findings in this section, most based on an over-reliance on a flawed assumption about the proper use of network diagramming.

   • "This occurred because a complete and accurate network diagram was not maintained."

Updates to network diagrams are on-going; they are not static. While it is theoretically possible to develop drawings that are a "snapshot in time," changes to networking and engineering diagrams are a dynamic and ongoing process. Further, as before, it is impossible to render on a single diagram the entirety of the NARANet infrastructure. A "full set" provides an accurate and complete picture.

   • "Specifically, NH officials did not have a process in place to update and maintain an accurate network diagram and believed it was the contractor's responsibility to do so."

And that is the case; NITTSS contractors do have this responsibility under the contract. We have advised the contractor about their schedule of deliverables.

   • "By not having a complete network diagram, NH officials are not aware of potential security vulnerabilities that may exist in the network."

We believe the determination and reliance on a network diagram or topology to determine vulnerabilities is an assumption with limitations.
First, any diagram has a potential latency in keeping the document up-to-date with changes. Second, the context of NARA's "flat" network design, and the limited and centrally controlled external access points, reduces the importance of diagrams in evaluating the risks associated with network interfaces. And the flip side is true as well; simply having a "perfect" network diagram/s does not constitute the broad assumption that NARA does not have security vulnerabilities.

Recommendations:

1. The Assistant Archivist for Information Services/CIO should develop a comprehensive topology of the current network environment and maintain the drawing by updating the drawing periodically (i.e. monthly or quarterly).

Response: Concur, but these are sets of "diagrams/topologies," and not a single rendering.

2. The Assistant Archivist for Information Services/CIO should develop network diagrams for each field office.

Response: Concur.

3. The Assistant Archivist for Information Services/CIO should assess and document the risks involved with: a) the use of one firewall; b) the direct connection by an external agency into NARA's internal network; and c) traffic that can pass between a web server and the internal network without first going through the firewall.

Response: Concur.

Boundary Protection: Firewall Rules and Policy Needs Improvement

Recommendations:

4. The Assistant Archivist for Information Services/CIO should perform a risk analysis to develop a list of the types of traffic needed by the organization.

Response: Do not concur. We conduct risk assessments system-by-system in the C&A process and see no compelling business reason to change this strategy.

5. The Assistant Archivist for Information Services/CIO should create a firewall policy to establish rules for inbound and outbound traffic and how the firewall will be managed and updated.

Response: Concur.

6.
The Assistant Archivist for Information Services/CIO should periodically review the\nfirewall configuration and conduct penetration testing at least annually.\n\nResponse: Concur.\n\n7. The Assistant Archivist for Information Services/CIO should review the St. Louis\nfirewall configuration and ensure necessary firewall rules are included.\n\nResponse: Concur.\n\x0c Firewall Logs Not Reviewed and Assessed\n At the bottom of page 8, the draft states in part: " ...however, the CIa has not assigned\n responsibility for reviewing the logs." In the second paragraph on page 9, the draft reads in part:\n "We found that while firewall logs are currently being sent to the SIM, responsibility for\n reviewing these logs and acting on the information has not been assigned." These statements are\n not entirely accurate. Section 7.9 ofthe NITTSS Performance Work Statement clearly assigns\n responsibility for reviewing firewall logs to the NITTS contractor. And to facilitate this work the\n Government has put the NetForensics SIM system in place that consolidates and automates the\n log analysis function. Basic SIM functionality is now in place and we are working to get more\n systems reporting to the SIM and placing additional log reviews in place. While we accept the\n general spirit of the word "expedite," in the recommendation below, we are already using all due\n diligence to fully implement the SIM.\n\nRecommendations:\n\n8. The Assistant Archivist for Information Services/CIO should assign responsibility to the\nappropriate individuals to monitor the firewall log alerts to determine if attacks or\ninappropriate activity has occurred.\n\nResponse: Concur.\n\n9. The Assistant Archivist for Information Services/CIO should expedite implementation\nof the SIM tool.\n\nResponse: Concur.\n\nAccess Controls\n\nLogical Access Controls Need to be Strengthened\n\nRecommendations:\n\n10. 
The Assistant Archivist for Information Services/CIO should implement multifactor\nauthentication for network access to infrastructure devices and update the IT Security\nMethodology for Identification and Authentication to reflect new requirements in NIST SP\n800-53.\n\nResponse: Concur to the extent that our actions reflect revision 3 to NIST 800-53.\n\n11. The Assistant Archivist for Information Services/CIO should periodically review\na) the access list for the central access control server to ensure accounts belonging to\nterminated staff are secured and b) logs for the central access control server to ensure\nsuccessfullogins belong to current employees or contractors.\n\nResponse: Concur.\n\x0c 12. The Assistant Archivist for Information Services/CIO should develop a process to\n ensure NHT is alerted to changes in IT contractor staff so that passwords can be changed.\n\n Response: Concur.\n\n 13. The Assistant Archivist for Information Services/CIO should review the administrator\n accounts on field office servers and delete any unnecessary accounts.\n\n Response: Concur.\n\n Physical and Environmental Protections at Field Sites Need Improvement\n\n We need to point out that many of the issues in the following sections also are the responsibility\n of other Offices at NARA (particularly NA) to ensure that NARA critical infrastructure\n components are properly protected and facilities are properly maintained. NH is provided space\n to operate equipment at these sites and is relying on NA, NL, and NR to ensure adequate security\n protections based on legal requirements and best business practices. We are working with field\n offices to properly protect and maintain all our IT assets.\n Physical Access Controls to Computer Rooms and Closets\n\n Recommendations:\n\n14. 
The Archivist should direct the Assistant Archivist for Regional Record Services the\nAssistant Archivist for Presidential Libraries, and the Assistant Archivist for Information\nServices to work with the Space and Security Management Division to develop a\nmechanism to track access reviews and key inventories at the field sites.\n\nResponse: Concur.\n\nPhysical Access to Network Equipment and Cables outside the Computer Room\n\nRecommendations:\n\n15. The Assistant Archivist for Information Services/CIO in conjunction with the Assistant\nArchivist for Regional Record Services and the Assistant Archivist for Presidential\nLibraries should periodically monitor the network environments at the field sites to ensure\nnetwork equipment and cables stored outside the computer rooms are protected.\n\nResponse: Concur.\n\x0c Physical and Environmental Hazards to Network Equipment\n\n Recommendations:\n\n 16. The Assistant Archivist for Information Services/CIO in conjunction with the Assistant\n Archivist for Regional Record Services and the Assistant Archivist for Presidential\n Libraries should conduct a review to determine which facilities require racks and provide\n the necessary racks.\n\n Response: Concur.\n\n17. The Assistant Archivist for Information Services/CIO in conjunction with the Assistant\nArchivist for Regional Record Services and the Assistant Archivist for Presidential\nLibraries should perform a risk assessment for each of the field offices to determine\nwhether changes to the buildings are needed in order to properly protect network\nequipment.\n\nResponse: Concur.\n\nWireless Networks\n\nRecommendations:\n\n18. 
The Assistant Archivist for Information Services/CIO should monitor for unauthorized\nwireless access to NARANet.\n\nResponse: Concur.\n\nIf you have any comments or questions, please contact Steve Heaps via email or on\n301-837-3170.\n\n\n\n   )1axile !f\'f)~                          .\n~~~-HAMORPHY                   U_\nAssistant Archivist for Information Services\n\x0c'
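Recommendation 11 above asks for a periodic review of the central access control server's account list and its successful-login records against the current list of employees and contractors. As an added example (not NARA's or the OIG's own tooling, and not tied to NetForensics or any particular access control product), the Python below performs both halves of that review over a constructed personnel roster, a constructed account export and a constructed log extract; the log line format, usernames, hostnames and dates are all made up for illustration.

```python
"""Periodic review of a central access control server (example, not NARA's code).

Part (a): find enabled accounts whose owner is no longer a current employee or
contractor.  Part (b): find successful logins that, on the day they happened,
did not belong to a current person.  All input data below is constructed."""

import re
from datetime import date

# Constructed HR roster: value is the separation date, or None if still current.
ROSTER = {
    "asmith": None,
    "bjones": None,
    "cbrown": date(2010, 1, 15),   # terminated in January
    "dlee":   date(2010, 3, 31),   # contract ended at end of March
}

# Constructed account export from the access control server.
ACCOUNTS = [
    {"user": "asmith",     "enabled": True},
    {"user": "bjones",     "enabled": True},
    {"user": "cbrown",     "enabled": True},    # should have been disabled at separation
    {"user": "dlee",       "enabled": False},   # correctly disabled
    {"user": "svc-backup", "enabled": True},    # service account, absent from HR roster
]

# Constructed authentication records in a made-up syslog-like layout.
LOG_LINES = """\
2010-04-01T08:02:11 acs01 AUTH SUCCESS user=asmith device=core-sw-01 src=10.1.2.3
2010-04-01T08:15:40 acs01 AUTH FAIL user=cbrown device=core-sw-01 src=10.9.8.7
2010-04-02T23:10:05 acs01 AUTH SUCCESS user=cbrown device=edge-fw-01 src=10.9.8.7
2010-04-03T09:00:00 acs01 AUTH SUCCESS user=bjones device=core-sw-02 src=10.1.2.4
2010-04-03T11:30:12 acs01 AUTH SUCCESS user=svc-backup device=fileserver-03 src=10.1.5.9
"""

# Date the review is being run (constructed).
REVIEW_DATE = date(2010, 4, 5)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) AUTH (?P<result>SUCCESS|FAIL) "
    r"user=(?P<user>\S+) device=(?P<device>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_current(user, roster, on_date):
    """True if the user is in the roster and had not separated on or before on_date.
    Anyone absent from the roster (e.g. a service account) is treated as not current,
    so such accounts surface for explicit review rather than being silently accepted."""
    if user not in roster:
        return False
    separated = roster[user]
    return separated is None or separated > on_date


def review_accounts(accounts, roster, on_date):
    """Part (a): enabled accounts that do not belong to a current person. Returns sorted names."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"] and not is_current(a["user"], roster, on_date)
    )


def review_logins(events, roster):
    """Part (b): successful logins by users who were not current on the login date.
    Returns (timestamp, user, device) tuples in log order; failed attempts are ignored."""
    findings = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        login_day = date.fromisoformat(e["ts"][:10])
        if not is_current(e["user"], roster, login_day):
            findings.append((e["ts"], e["user"], e["device"]))
    return findings


if __name__ == "__main__":
    print("Enabled accounts needing action:", review_accounts(ACCOUNTS, ROSTER, REVIEW_DATE))
    for ts, user, device in review_logins(parse_log(LOG_LINES), ROSTER):
        print(f"Successful login to review: {ts} user={user} device={device}")
```

Run against the constructed data, part (a) flags `cbrown` (terminated but still enabled) and `svc-backup` (not in the HR roster), while `dlee` is not flagged because the account was already disabled; part (b) flags the successful `cbrown` login on 2010-04-02 and the `svc-backup` login, and ignores the failed `cbrown` attempt. Checking each login against the roster as of the login date, rather than as of the review date, is what lets the review distinguish a login that was legitimate at the time from one that happened after separation. Service accounts will always appear in the output of a check like this; the fix is to maintain an approved list of them with a named owner, not to exclude unknown names from the review.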